| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
This patch makes the access log entries for search, add, mod, del,
and modrdn operations display the authzid that is used when the
proxy authorization control is sent by the client.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If an ACI has a targetattr of userPassword and uses the USERDN
keyword, the ACI may not be evaluated correctly for password
change operations. This is caused by the fact that we use a
dummy target entry to check if the pasword change is allowed early
in the operation. This dummy entry will not have any attributes
that the ACI may use.
The fix is to actually fetch the target entry with all of it's
attributes. We still create a dummy entry if the target doesn't
exist to prevent returning a no such entry error when we should be
returning an access denied or insufficient access error.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=611850
Resolves: bug 611850
Bug Description: fix coverity Defect Type: Error handling issues
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: Check the error return from the functions. In some cases,
I was able to figure out that the calling function should perform additional
error handling (return early, goto error label), but in general the code
just logs an appropriate error message and continues. I was able to get
rid of some more libacl code. I removed an unused variable from modify.c
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
entries before freeing them
https://bugzilla.redhat.com/show_bug.cgi?id=602530
Resolves: bug 602530
Bug Description: coverity: op_shared_modify: compare pre, post and original entries before freeing them
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: Get the pre entry and post entry separately, compare them to
e and to each other before attempting to free them.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
|
|
|
|
|
|
|
|
| |
If a password is changed using the password modify extended
operation, the modify used to modify the password will be leaked
if the change is rejected due to password policy or access control
settings.
This patch frees the mod when the password change is rejected.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change description:
. adding upgradednformat utility to each server instance.
. adding 91upgradednformat.pl for in-place-upgrade.
. implementing ldbm_back_upgradednformat sharing the import/
reincexing codes.
. adding a new DBVERSION ID "dn-4514" for the upgraded db.
. fixing access logs (delete.c and modify.c)
. fixing compiler warnings.
. fixing memory leaks.
. fixing a bug in syntax plugin to free strings.
. adding templates for plugin id, version, vendor, and description,
which are needed for the online upgrade.
. dbversion_write takes an additional bit flags, which indicates
which extra DBVERSION strings are written to the DBVERSION file.
It was introduced for the upgrade tools not to intervene each
other's tasks (e.g., dn2rdn for converting entrydn to entryrdn
and upgradednformat for upgrading the DN format).
. fixing a bug in entryrdn index code which was missing to normalize
RDN.
See also:
https://bugzilla.redhat.com/show_bug.cgi?id=591336
http://directory.fedoraproject.org/wiki/Upgrade_to_New_DN_Format#Migration.2FUpgrade
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix Description:
. adding slapi_dn_normalize_ext and its siblings to normalize/validate
invalid DNs; deprecating slapi_dn_normalize and its siblings. (dn.c)
. replacing slapi_dn_normalize with new corresponding functions.
. normalizing hardcoded DNs (e.g., removing spaces around ',')
. setting correct DN syntax to nsslapd-suffix, nsslapd-ldapiautodnsuffix,
costemplatedn, nsslapd-changelogsuffix, nsBaseDN, nsBindDN
. if nsslapd-dn-validate-strict is enabled, incoming DN is examined and
rejected if it is invalid. Once approved, the DN is normalized.
. fixing compiler warnings and typos.
See also:
http://directory.fedoraproject.org/wiki/Upgrade_to_New_DN_Format
Related bugs:
Bug 199923 - subtree search fails to find items under a db containing special
characters
Bug 567968 - subtree/user level password policy created using 389-ds-console
doesn't work.
Bug 570107 - The import of LDIFs with base-64 encoded DNs fails, modrdn with
non-ASCII new rdn incorrect
Bug 570962 - ns-inactivate.pl does not work
Bug 572785 - DN syntax: old style of DN <type>="<DN>",<the_rest> is not
correctly normalized
Bug 573060 - DN normalizer: ESC HEX HEX is not normalized
Bug 574167 - An escaped space at the end of the RDN value is not handled
correctly
|
|
|
|
|
|
|
|
|
| |
This patch makes the server use the password storage scheme set in
the appropriate fine-grained password policy (if it is set). The
previous code was always using the global storage scheme.
This fix was based off of a fix contributed by Ulf Weltman of
Hewlett Packard.
|
|
|
|
|
|
|
|
|
|
| |
These changes allow the server to be built with OpenLDAP (2.4.17+). A brief summary of the changes:
* #defines not provided by OpenLDAP were copied into slapi-plugin.h and protected with #ifndef blocks
* where it made sense, I created slapi wrapper functions for things like URL and LDIF processing to abstract way the differences in the APIs
* I created a new file utf8.c which contains the UTF8 functions from MozLDAP - this is only compiled when using OpenLDAP
* I tried to clean up the code - use the _ext versions of LDAP functions everywhere since the older versions should be considered deprecated
* I removed some unused code
NOTE that this should still be considered a work in progress since it depends on functionality not yet present in a released version of OpenLDAP, for NSS crypto and for the LDIF public API.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1) Make sure we use "const" consistently
2) Make sure we use "unsigned char" consistently
for some reason (unsigned char)*p did not compare to '\xHH' literals unless the literal was also cast to (unsigned char)
3) added some missing function prototypes
4) removed some unused variables/functions, or commented out for use when debugging
5) various other compiler warnings
With all of these, the code compiles cleanly on RHEL5 x86_64 using
gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-44)
and
CFLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic"
The only warning now is the spurious message about %llu or %lld having the wrong format argument.
Reviewed by: nhosoi (Thanks!)
|
|
|
|
| |
Summary: Make password modify extop work properly with the password policy control.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Need to address 64-bit compiler warnings - again
Reviewed by: nhosoi (Thanks!)
Fix Description: This patch cleans up most of the other remaining compiler warnings. I compiled the directory server code with these flags on RHEL5 x86_64: -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
I also enabled argument/format match checking for most of the commonly used varadic functions. Most of the problems I found fell into these categories:
1) Too many or not enough arguments e.g. most everything that uses or did use LDAPDebug had extra 0,0 arguments. If they had been switched to use slapi_log_error, I removed the extra arguments - for those places still using LDAPDebug, I introduced more macros to handle the number of arguments, since C macros cannot be varadic.
2) When using NSPR formatting functions, we have to use %llu or %lld for 64-bit values, even on 64-bit systems. However, for regular system formatting functions, we have to use %ld or %lu. I introduced two new macros NSPRIu64 and NSPRI64 to handle cases where we are passing explicit 64-bit values to NSPR formatting functions, so that we can use the regular PRIu64 and PRI64 macros for regular system formatting functions. I also made sure we used NSPRI* only with NSPR functions, and used PRI* only with system functions.
3) use %lu for size_t and %ld for time_t
I did find a few "real" errors, places that the code was doing something definitely not right:
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/acl/aclinit.c_sec4
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/acl/acllas.c_sec17
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/http/http_impl.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/memberof/memberof.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/pam_passthru/pam_ptimpl.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/cl5_api.c_sec5
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/cl5_clcache.c_sec2
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/replutil.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/libglobs.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/back-ldbm/dbverify.c_sec2
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/back-ldbm/ldif2ldbm.c_sec3
This is why it's important to use this compiler checking, and why it's important to fix compiler warnings, if for no other reason than the sheer noise from so many warnings can mask real errors.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
|
|
|
| |
Summary: Made replica_set_updatedn detect value add modify operations properly.
|
|
|
|
| |
Summary: Convert counters to 64-bit capable Slapi_Counter type.
|
|
|
|
| |
Summary: Add support for 64-bit counters (phase 1).
|
|
|
|
| |
Summary: HP-UX: warnings reported by the HP-UX compiler
|
|
|
|
| |
Summary: Added new operation flag to skip writing modifiresname and related attributes. Updated password policy internal operations to use this new flag.
|
|
|
|
|
|
|
|
|
|
| |
Summary: configure needs to support --with-fhs (Comment #6)
Changes: Added the following include next to the end of the copyright block.
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: one byte memory leak in modify
Reviewed by: nhosoi (Thanks!)
Files: see diff
Branch: HEAD
Fix Description: Just call slapi_ch_free_string() with the mod->mod_type. This is safe to call with NULL.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
| |
compilation error
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: memory leaks using ber_scanf when handling bad BER packets
Reviewed by: All (Thanks!)
Files: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=123783
Branch: HEAD
Fix Description:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135#c0
I basically did a search through our code for all calls to ber_scanf,
ber_get_stringa, and ber_get_stringal and made sure we properly free any
arguments that may have been allocated. There was a bug in the ldapsdk
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135 that causes
us to free uninitialized memory when trying to clean up the result of
ber_get_stringal (or ber_scanf with 'V'). I had to initialize some
variables to NULL so that we could properly clean them up, and added
some additional clean ups that were missing. Also, in repl_extop.c, we
were calling free on an array that we should have been calling
ch_array_free on. Yet another lesson in the evils of slapi_ch_free and
disabling compiler type checks in general.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
|
| |
|
| |
|
| |
|
|
|
|
| |
warnings on Linux; remove pam_passthru from DS 7.1
|
| |
|
| |
|
| |
|
|
(foxworth)
|